Wednesday, July 3, 2013

More documentation from Microsoft about properly naming your AD domain

I've written about this before, and not to beat a dead horse, but I just came across this TechNet article on Server 2012 AD DS and found this nugget part-way down the page:

Do not create new Active Directory forests with the same name as an external DNS name. For example, if your Internet DNS URL is http://contoso.com, you must choose a different name for your internal forest to avoid future compatibility issues. That name should be unique and unlikely for web traffic. For example: corp.contoso.com.

Just more proof that giving your AD forest the same name as your public DNS zone, and then running split-horizon DNS to paper over the collision, is not recommended, no matter what your Lync or Exchange people tell you. Once the domain controllers are authoritative for contoso.com internally, every public record under that zone has to be duplicated by hand in the internal zone, and the zone apex itself resolves to the domain controllers for internal clients (the DCs register "same as parent" A records for themselves), so http://contoso.com from inside the network no longer reaches your web server. There's some extra configuration on the Lync and Exchange side when the internal name differs from the external one, especially with certificates, but split-horizon is not recommended and should not be deployed. Since this is from Server 2012 documentation, there's really no way anyone can dispute it by calling it outdated or no longer relevant.
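To make the collision concrete, here is an added example (not from the original post or from Microsoft's documentation): a pre-flight check for a proposed forest name against the public zones you own, and a toy resolver that shows what an internal client gets back from a DC-hosted DNS server under the two designs. The zone contents, IP addresses, and the list of non-registrable suffixes are constructed assumptions for illustration only.

```python
# Added example, not part of the original post. Constructed names/addresses.
from typing import Optional

# Assumed list of suffixes that are not registrable public TLDs. A forest under
# one of these avoids split-brain DNS but brings its own problems (no public
# certificates, and ".local" collides with mDNS).
UNREGISTRABLE_SUFFIXES = {"local", "lan", "internal"}


def _labels(name: str) -> list:
    return name.strip(".").lower().split(".")


def check_forest_name(candidate: str, owned_public_zones: list) -> tuple:
    """Return (verdict, reason) for a proposed forest FQDN.

    verdict is 'ok', 'warn' or 'reject'. owned_public_zones are the public
    DNS zones the organisation registers and controls, e.g. ['contoso.com'].
    """
    cand = _labels(candidate)
    owned = [_labels(z) for z in owned_public_zones]
    if len(cand) < 2:
        return "reject", "single-label domain names are not supported for AD"
    if cand in owned:
        return "reject", "same name as a public zone: forces split-brain DNS"
    if cand[-1] in UNREGISTRABLE_SUFFIXES:
        return "warn", f".{cand[-1]} is not a public TLD: no public certs, possible collisions"
    for zone in owned:
        if len(cand) > len(zone) and cand[-len(zone):] == zone:
            return "ok", f"subdomain of owned zone {'.'.join(zone)}"
    return "warn", "not under a zone you control: register it or use a subdomain of one you own"


# zone apex -> {fqdn -> list of A records}
def _authoritative_zone(name: str, zones: dict) -> Optional[str]:
    """Longest-suffix match of a name against the zone apexes we host."""
    n = _labels(name)
    best = None
    for apex in zones:
        a = _labels(apex)
        if len(n) >= len(a) and n[-len(a):] == a:
            if best is None or len(a) > len(_labels(best)):
                best = apex
    return best


def resolve_internal(name: str, ad_zones: dict, public_zones: dict) -> list:
    """What an internal client gets from the DC's DNS server.

    The DC is authoritative for the AD zone(s): a name inside one is answered
    only from that zone (missing record -> NXDOMAIN, returned here as []).
    Anything else is forwarded to public DNS.
    """
    key = name.lower().strip(".")
    apex = _authoritative_zone(name, ad_zones)
    if apex is not None:
        return ad_zones[apex].get(key, [])
    pub = _authoritative_zone(name, public_zones)
    return public_zones[pub].get(key, []) if pub is not None else []


# Constructed public zone: the web server lives at the apex and at www.
PUBLIC = {"contoso.com": {"contoso.com": ["203.0.113.10"],
                          "www.contoso.com": ["203.0.113.10"]}}

# Design A: forest named contoso.com. The DCs register "same as parent" A
# records, so the apex points at a DC internally and www is simply absent.
SPLIT_BRAIN_AD = {"contoso.com": {"contoso.com": ["10.0.0.10"],
                                  "dc1.contoso.com": ["10.0.0.10"]}}

# Design B: forest named corp.contoso.com, as the TechNet text recommends.
SUBDOMAIN_AD = {"corp.contoso.com": {"corp.contoso.com": ["10.0.0.10"],
                                     "dc1.corp.contoso.com": ["10.0.0.10"]}}


def compare_scenarios() -> dict:
    """Resolve the public names from an internal client under both designs."""
    names = ["contoso.com", "www.contoso.com"]
    return {
        "split_brain": {n: resolve_internal(n, SPLIT_BRAIN_AD, PUBLIC) for n in names},
        "subdomain": {n: resolve_internal(n, SUBDOMAIN_AD, PUBLIC) for n in names},
    }


if __name__ == "__main__":
    for cand in ["contoso.com", "corp.contoso.com", "contoso", "ad.contoso.local", "ad.example.net"]:
        print(f"{cand:18} -> {check_forest_name(cand, ['contoso.com'])}")
    for design, answers in compare_scenarios().items():
        print(design)
        for n, ips in answers.items():
            print(f"  {n:16} -> {ips or 'NXDOMAIN'}")
```

Under the split-brain design the internal answer for contoso.com is the domain controller and www.contoso.com is NXDOMAIN until someone copies it into the internal zone; under the subdomain design both names fall through to the public zone untouched, which is the whole point of the TechNet recommendation.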

2 comments:

  1. Just to be clear, if I control company.com (DNS and public website) and I want to use internal.company.com as an AD name, should I or should I not add a CNAME record for that subdomain? I'm thinking not, because of security considerations, but I'm new to these matters. What would you advise?

  2. You do not. There is no reason for external (internet) to need to resolve internal names. Essentially you would be replicating split DNS of same name internal as same name external...
